by et1337 4124 days ago
I'm a big fan of the "email-only" login. Type your email address, hit login, switch to your email app, click the link, and you're logged in forever. If you don't have a password manager, it's probably what you do most of the time anyway via the forgotten password interface.
5 comments

Except for when you click the 'refresh' button 20 times in your e-mail app and the e-mail still hasn't arrived. And then you check your spam folder, maybe it went there? Nope. And then for some reason, ten minutes later the e-mail shows up.

I don't know whether it's sites that add outgoing e-mails to a backed-up queue, or if it's an anti-spam heuristic somewhere adding the delay, or delay on the servers of your own webmail service, or whatever combination of these, but unfortunately it's certainly not always as simple as "switch to your email app, click the link".

I'm more a fan of how Persona does it, where you don't click a link at all, just enter your email and the Persona server checks a cookie secret you have to authenticate you.

Fundamentally the solution to all this is that you should have a signin at least once (to get your identifier keys securely) but then every website should authenticate against your keys, not against a username and password, and it should be transparent so as long as you are logged into an "account" you have personal keys for that identity that correspond to all the other services you use.

Really, it's how the desktop works, and it is how the web should work, since they are converging and all.

Passing tokens around via email isn't very secure. It's not like email is encrypted.
Right, but an expiring, single-use link that will send a second email saying "someone from X place just logged in, so contact us if this wasn't you" is still good enough in most cases. To see that, ask which sites will send you a password reset mail when you forget your password. My bank certainly won't -- I have to talk to a person -- but most others do, making their passwords useless.
This is not necessarily through email. I was referring to the scenario where the user has both screens open and is being shown the token on one and typing it on the other. I agree about the insecurity of email.
Email is just about the least-secure authentication path I can think of. Knowing what we know now, it shouldn't even be used for "forgot password," really. SMS, a phone call, heck even a Facebook message would be more secure.
Agree! HN has this and I love it.
No it doesn't. It has a standard username/password/forgotten email me setup.

What et1337 means is that you never even create a password, you literally login by putting just your email in, switching to your email, and clicking the link provided.

Given that most sites require you to do this when you first create an account to prove you own the email anyway, what was the point of having a password?

For cases when you want to trust this computer for logging you into X, but not into your email (compromised it lets anyone use anything that is yours), obviously.